
LewisChapman

macrumors 6502a
Jan 10, 2015
600
861
This. But if they didn't open the door for the feds, who could be more important?

Either Apple opened said backdoor for the feds and nobody would have been the wiser, OR they could have denied the access, let the press know and achieve ultimate awareness of their pledges to privacy, which consequently provides them with a prominent USP in the smartphone market.

Or maybe the backdoor doesn't exist... it's all just speculation haha
 

redheeler

macrumors G3
Oct 17, 2014
8,637
9,286
Colorado, USA
I finally found how the hacker got in. I have probably 30 Macs and iDevices, but only 10 that were associated with this Apple ID. I forgot about a headless Mac mini that I have running Time Machine (encrypted) backups in a closet. I had an external port forwarded for VNC (stupid, I know). They were able to log in to that computer (my password was random, but only 6 characters). They changed the computer password, but I was able to log into a different administrator's account and regain control of the computer. Thankfully, that computer didn't really have any useful info on it. Open on the desktop were Keychain, a web browser with PayPal, eBay, some Chinese eBay-like site and another financial page. I don't keep any login info for things like that in Keychain and have never even been to those sites on that computer. I also have 2FA (SMS, thank goodness) for both. So I removed the forwarded port and will obviously only be VPNing into that site when I want to screen share from now on.

So, the breach was a weakness in my architecture. Having said that, I really don't like Apple's implementation of 2FA. It's convenient when you don't have your phone around but have another device close and you need to authenticate, but I'd prefer old-fashioned SMS to a single cell phone or device. I realize that the pop-ups for confirming changes to the account go away from devices once one clicks an option, and thus it would be pretty easy for the hacker to quickly press "yes" or whatever and not have me see any pop-up on my phone. I think this is also a weakness. I don't know how much I could have done about it anyway. It all happened within a minute, with just emails to my phone as evidence of what was happening.

Unfortunately, knowing how this happened and mitigating further damage still doesn't help me regain control of the account. I need the phone number that the hacker put on the account to do anything. I've submitted feedback to Apple per their engineer's suggestion, but I won't be holding my breath for a fix any time soon.

I also can't sign out of "Find My iPhone" on my iPhone or iPads without the password, meaning that the hacker could erase my devices at any time if they are so inclined. So I've got that going for me....
I was wondering how your account with 2FA on could've possibly been compromised, but when you mentioned the Mac mini with the exposed VNC port it suddenly made sense. Tough situation to be in, knowing how it happened but also that there's nothing you can do.
 

maxxodd

macrumors member
Original poster
Nov 2, 2012
82
66
Hey OP, any news on this that you are allowed to share with us?
Nothing beyond what I reported. I don't have access to my previous Apple ID and the hacker still does, along with all my data. I contacted some of the app developers that I had previously purchased from with my old Apple ID and most were really nice and transferred my purchase (after I provided proof) to my new Apple ID. The only company that was entirely unsympathetic was Affinity. I really like Affinity Photo (I also have a subscription to Photoshop and Lightroom). I'll probably buy it again with my new ID, but can't say I'm pleased with the customer service.

I can say that I'm pretty happy that I've made some purchases directly through the developer rather than through the App Store when both were an option. I have a lot of apps that I've just decided to repurchase again rather than contact the developer when the app was $5 or something like that.
 

maxxodd

macrumors member
Original poster
Nov 2, 2012
82
66
For anyone who may run into this problem, it's been a year, so I thought I'd check in with Apple to find out if anything had changed and there was a way for me to recover the account. Unfortunately, nothing has changed and there is no way to recover the account without knowing the phone number that the hacker changed on the account.

To add a little insult to injury, since he didn't change the email associated with the account, every month or so I get an email that my iCloud storage is full. Would I like to purchase more storage? I suppose I could create a filter for my email that would catch this and send it directly to the trash, but I still haven't gotten around to it.
 

marigold22

macrumors newbie
May 2, 2020
1
0
Welcome to my world. My iCloud account has been hacked and as long as the hacker changes the phone number, I am locked out for good. For ALL THE MONEY we spend on Apple devices, even if you are not a big spender on iTunes or the App Store, Apple has GOT to get better security for iCloud accounts. I have been hacked again and again and have done everything a 4.0 English major knows how to do. Every other vendor on the planet has a verification process for account owners; not Apple iCloud, even though iCloud has many forms of private information stored inside it!!

It's like leaving a key under the mat and wondering how the neighborhood thief gained access to your front door.

Because you posted your solution about the Mac mini and the exposed VNC port, I would ask you to explain what that is (the exposed VNC), because I would like to learn.

As for me, I only have three Apple devices and my iPhone is hacked most in terms of iCloud. My two ideas of how the hack occurs in my case are: 1) If my phone is connected to my home WiFi, there is a packet sniffer/MITM action also happening on my ISP. 2) My SIM has been swapped and my hacker has control (can see all apps) of my phone; all he has to do is pull up the Apple ID and change the PW and phone associated with it.

I am not much of a forum user, so if this question needs to be the start of a new thread I will gladly do so, but I would like to hear/see comments in regard to the iCloud hack/vulnerability Apple DOES have. Thanks.
 

maxxodd

macrumors member
Original poster
Nov 2, 2012
82
66
Welcome to my world. My iCloud account has been hacked and as long as the hacker changes the phone number, I am locked out for good. For ALL THE MONEY we spend on Apple devices, even if you are not a big spender on iTunes or the App Store, Apple has GOT to get better security for iCloud accounts. I have been hacked again and again and have done everything a 4.0 English major knows how to do. Every other vendor on the planet has a verification process for account owners; not Apple iCloud, even though iCloud has many forms of private information stored inside it!!

It's like leaving a key under the mat and wondering how the neighborhood thief gained access to your front door.

Because you posted your solution about the Mac mini and the exposed VNC port, I would ask you to explain what that is (the exposed VNC), because I would like to learn.

As for me, I only have three Apple devices and my iPhone is hacked most in terms of iCloud. My two ideas of how the hack occurs in my case are: 1) If my phone is connected to my home WiFi, there is a packet sniffer/MITM action also happening on my ISP. 2) My SIM has been swapped and my hacker has control (can see all apps) of my phone; all he has to do is pull up the Apple ID and change the PW and phone associated with it.

I am not much of a forum user, so if this question needs to be the start of a new thread I will gladly do so, but I would like to hear/see comments in regard to the iCloud hack/vulnerability Apple DOES have. Thanks.

VNC is just a way to screen share. Apple has built-in screen sharing, but if you want to access your computer remotely, you need to know your external IP address and forward a port to the device. Your external (WAN) IP address is like your house address. But you might have multiple people living in your house. You could consider these your devices. So, in order to route information to the right device (roommate in this analogy) you need to specify which port at that address to send information to. Most routers have a firewall that doesn't allow external devices to connect to the internal (LAN) IP addresses. But you can open specific ports in order to access devices or services from remote locations. Each port can then route information to a different (or the same) device. Ports are usually closed by default. Hackers can probe IP addresses for open ports and then try to gain access to your network by infiltrating the device that the open port points to. In my case it was a Mac computer with a 6-digit password. VPN is a better option and this is how I am currently set up. Like everything else, VPN is not infallible, but it allows more security, including login, password and secret key.

If you keep getting hacked, there are unfortunately a lot of ways this can happen, but in my limited knowledge, I think the most common way is that someone has access to a service you use to store your passwords/sensitive information. This could be Apple Keychain. It could also be your browser. For example, if you keep passwords stored in Chrome, someone could have access to your Chrome login, and each time you change your password, all it would take is you updating it in Chrome and they would have it again. I'd recommend against storing sensitive passwords in browsers. I use 1Password, but I'm sure you could use a different password manager. From there, I'd just make sure your WiFi is password protected and you are running a firewall on your router with no unnecessary open ports. Change any password that may have been compromised and use different passwords for each of your accounts. Choose to use two-factor authentication (2FA) for any site that allows it. Again, Apple's implementation of 2FA is really only 1 factor if a hacker gets access to a "trusted device". They just need to know the device password and they can override the 2FA. This is a pain in the butt if you don't have a password manager program of some sort.
 

johannnn

macrumors 68020
Nov 20, 2009
2,315
2,602
Sweden
Again, Apple's implementation of 2FA is really only 1 factor if a hacker gets access to a "trusted device". They just need to know the device password and they can override the 2FA.
This is the KEY point here.
There are many articles about it; here is one related: https://www.macworld.com/article/3387518/apple-icloud-2fa-flaws.html

Keep your devices safe and secure. If you don't know how to keep your Mac secure, use products by Objective-See. They're the best in the game. And use common sense.

Depending on your ability to use common sense, it might be preferable to use a non-admin account. Or use an admin account and switch the admin rights off with Privileges.app.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
Again, Apple's implementation of 2FA is really only 1 factor if a hacker gets access to a "trusted device". They just need to know the device password and they can override the 2FA. This is a pain in the butt if you don't have a password manager program of some sort.
I agree that Apple 2FA is less than perfect (would much prefer if they simply used TOTP codes so we could use an authenticator app of our choice, and allowed us to generate backup codes), but I have one question: you described above how the hackers remotely accessed your Mac and then changed the trusted phone number associated with the account. But how did they do that? I just checked and my Mac asks for the user password if you want to add a trusted number. How did they get that?
 

maxxodd

macrumors member
Original poster
Nov 2, 2012
82
66
I agree that Apple 2FA is less than perfect (would much prefer if they simply used TOTP codes so we could use an authenticator app of our choice, and allowed us to generate backup codes), but I have one question: you described above how the hackers remotely accessed your Mac and then changed the trusted phone number associated with the account. But how did they do that? I just checked and my Mac asks for the user password if you want to add a trusted number. How did they get that?

It was a year ago, so I can't recall the exact steps, but I think it was resetting the password for the iCloud account with a trusted device (thus circumventing the 2FA), adding a phone number (they were able to simply use their new password), removing the old phone number, and removing all trusted devices.
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
It was a year ago, so I can't recall the exact steps, but I think it was resetting the password for the iCloud account with a trusted device (thus circumventing the 2FA), adding a phone number (they were able to simply use their new password), removing the old phone number, and removing all trusted devices.
From what I can see on iforgot.apple.com, you can only reset the password on an account with 2FA if you control the trusted phone number, but that in turn can only be changed if you not only have access to a trusted device, but also know its passcode (for an iOS device) or user password (for a Mac). So the hackers got access to your Mac via VNC and thus had access to a trusted device, but how did they figure out the Mac's password? Just trying to understand if there is anything we can do to better protect our accounts ...
 

maxxodd

macrumors member
Original poster
Nov 2, 2012
82
66
From what I can see on iforgot.apple.com, you can only reset the password on an account with 2FA if you control the trusted phone number, but that in turn can only be changed if you not only have access to a trusted device, but also know its passcode (for an iOS device) or user password (for a Mac). So the hackers got access to your Mac via VNC and thus had access to a trusted device, but how did they figure out the Mac's password? Just trying to understand if there is anything we can do to better protect our accounts ...
You bring up a good point. They need to guess both the VNC password as well as the macOS account password. I imagine that they use brute-force techniques, given that the Mac's screen sharing doesn't allow for locking someone out after so many failed attempts or alerting the admin. It would be nice if this was a feature.

I've switched to VPN which is what I should have been doing all along.
 
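What the two posts above describe (an open port gets probed, and screen sharing neither locks out nor alerts on repeated failed logins) is at least detectable after the fact from the login log. The script below is an added example written for this page, not code from the thread or from Apple: it reads authentication lines from a screen-sharing daemon log, keeps a sliding window of failures per remote address, flags any address that crosses a threshold, and records whether a later success from that address followed (the guess landed). The sample log lines and their layout are constructed for the example; on a real Mac you would feed it the unified log filtered to the screensharingd process (for instance the output of `log show --predicate 'process == "screensharingd"'`), and since the real message format differs, the regex would need adjusting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (NOT real screensharingd output; the line layout is an
# assumption made for this example). One internal client with a typo, and one
# external address that guesses "admin" until it gets in.
SAMPLE_LOG = """\
2020-05-23T10:15:01 screensharingd: Authentication: SUCCEEDED :: User Name: alice :: Viewer Address: 192.168.1.20
2020-05-23T10:20:00 screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T10:20:02 screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T10:20:03 screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T10:20:05 screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T10:20:06 screensharingd: Authentication: FAILED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T10:20:08 screensharingd: Authentication: SUCCEEDED :: User Name: admin :: Viewer Address: 203.0.113.7
2020-05-23T11:00:00 screensharingd: Authentication: FAILED :: User Name: alice :: Viewer Address: 192.168.1.20
2020-05-23T11:00:30 screensharingd: Authentication: SUCCEEDED :: User Name: alice :: Viewer Address: 192.168.1.20
"""

# Matches the constructed layout above: timestamp, result, user, viewer address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) screensharingd: Authentication: (?P<result>SUCCEEDED|FAILED)"
    r" :: User Name: (?P<user>.+?) :: Viewer Address: (?P<addr>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, addr) for each matching line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["addr"]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag viewer addresses with >= `threshold` failures inside `window`.

    Returns {addr: {"failures": peak count in the window,
                    "users": set of usernames tried,
                    "succeeded": True if a login from that address succeeded
                                 while failures were still inside the window}}.
    """
    recent = defaultdict(deque)  # addr -> timestamps of failures still in window
    alerts = {}
    for ts, result, user, addr in events:
        q = recent[addr]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(addr, {"failures": 0, "users": set(), "succeeded": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].add(user)
        elif addr in alerts and q:
            # A success right after a burst of failures: treat as a likely breach.
            alerts[addr]["succeeded"] = True
    return alerts


def report(alerts):
    """Human-readable lines for each flagged address, worst first."""
    lines = []
    for addr, a in sorted(alerts.items(), key=lambda kv: -kv[1]["failures"]):
        verdict = "LOGIN SUCCEEDED after burst" if a["succeeded"] else "no success seen"
        lines.append(f"{addr}: {a['failures']} failures, users={sorted(a['users'])}, {verdict}")
    return lines


if __name__ == "__main__":
    for line in report(detect_bruteforce(parse_events(SAMPLE_LOG))):
        print(line)
```

The threshold and window are the knobs a lockout feature would expose; five failures in two minutes is far below any human typing rate. A success from an address that was just flagged is the signal to act on (change the account password, review trusted devices), which is exactly the alert the thread says the built-in screen sharing never raised.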

chabig

macrumors G4
Sep 6, 2002
11,450
9,321
I use Screens as my VNC client and have an encrypted SSH connection between the two machines. An attacker would need more than just the login password to get in.
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
Completely agree - part of me thinks there probably is the ability for certain (VIP) customers but they don't want to get into the business of Apple ID resets/don't want people to think that Apple have a backdoor.

Ya, but you may have all the proof in the world to verify, but rules are still rules by Apple's standard... Just verifying verbally may not always be enough. Now you have a person with 2FA, which also demonstrates they enabled it for security, so equally as important, 'verify that trusted device' plays a role too, in order to get it back.
 

Dean402002

macrumors newbie
May 23, 2020
18
4
2FA is useless; it does not secure devices, only the Apple account, and makes it more of a pain with anything but the latest iOS devices.
 